One of the great challenges that security professionals within an organisation face is articulating the value of investing in security. That’s not to say that security is considered unimportant within the executive team and board, because the typical business is well aware of the risks that poor IT security can present. Rather, the number of security solutions that an organisation deploys through its network makes for a giant jigsaw puzzle, and coupled with tight budgets, it is a difficult process for the IT team to ‘sell up’ each individual new piece to add to the overall puzzle.

RSA regional security evangelist Michael Lee explains, “I was talking to one customer who had 84 different vendors in their security suite, which was adding a lot of unnecessary complexity and configurations into the organisation.” He adds: “There are now around 1,500 vendors supplying security products. Customers want defence in depth, which is indeed critical, but the layers of security being added should ‘talk’ together. Otherwise they are simply not working smarter or efficiently.”

The reliance on single-product security from a wide range of different vendors is instrumental in creating a gap between the information that a security professional generates from the security investment, and what the executives and boards derive from it. Security professionals are interested in understanding how a breach of the organisation’s network happened, and more importantly, how it might be prevented in the future. The boards, meanwhile, are interested in the business risk that this entails; what is the cost of the breach and how should that information be communicated to their customers?

These very different focuses have led to a ‘gap of grief’ situation where a security professional might be overwhelmed with the number of alerts coming in from each piece of security on the network, while the board desperately wants to know at a glance what the damage is. With 70 per cent of businesses admitting to being breached in the past year (according to the RSA Cybersecurity Poverty Index, 2016: https://www.rsa.com/en-us/resources/rsa-cybersecurity-poverty-index-2016), it’s a common problem, and in a second survey, 80 per cent of businesses said that they were unhappy with how their security is working for them (RSA Threat Detection Effectiveness Survey, 2016: https://www.rsa.com/en-us/resources/threat-detection-effectiveness).

This dynamic has long led to discussions about whether it would be a better idea to train the security professionals to better understand the business implications of security breaches, or whether the board should be better trained in the technology to better understand it themselves. Neither solution is ideal, according to RSA’s Lee. Instead, one of the leading priorities for businesses should be to find a way of turning the investment into a business-driven strategy, and adopt a holistic approach to security that centralises the insights and makes them readily, and rapidly, available to all stakeholders in the organisation.

“Security needs have become increasingly complex at a rapid rate, and in that pursuit of defence in depth, organisations are often buying more and more gadgets without thinking about the greater strategy in doing so,” Lee says. “As a result, the technology isn’t talking to other pieces of security technology, and the entire infrastructure develops such significant inefficiencies that the entire network becomes a mess to manage. For a common example we see all the time: a company might have all their vulnerabilities and assets in a database, but that never talks to the two-factor authentication. It helps the overall security of the business in no way to keep these two things separate.

“A security professional might be able to manage both of these things separately and understand what each piece of the puzzle is meant to be doing, but it is difficult for the CEO or directors to properly analyse the impact that these technologies are having.”

The security space has become a challenge for resellers as a result, as all levels of the business struggle to justify spending on technology. With such diversity in vendors, no reseller has been able to represent the entire gamut of security solutions to clients, and resellers often have to do heavy customisation work in order to craft solutions that bring multiple vendors together. In addition to being labour-intensive, these solutions are difficult to integrate with other security systems the customer has in place, which makes the sell difficult for the reseller.

Business-driven security would involve consolidating the security providers down, and this move conversely reflects some of the consolidation that is happening in the security space itself. IT vendors are, through acquisitions and organic growth, developing holistic security ‘stacks’ as they are creating stacks in other technology fields, and the benefits for customer and reseller alike are significant, Lee argues.

“Resellers have a great opportunity to offer professional services to customers through this consolidation process, and in helping the technology executives build the business strategy to take to the board, and then helping to plan through the consolidation process,” Lee states.

A reseller is in a far better position to help the security professional ‘sell’ a solution to the board if the overall impact of that solution is immediately qualifiable in relation to the overall security strategy. To put it simply, being able to provide executives with a complete solution is a far more effective way to get them on board with a security solution than having to explain how each piece will fit together. The more efficient and effective security solution will also result in better security outcomes, which will in turn be easier to report back to the board each quarter.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.